升级到Grails 3后,sessionRegistry为空,但身份验证正在运行

时间:2016-03-09 08:42:06

标签: spring-security grails-3.0

将旧应用程序(grails 1.3.7)升级到最新的grails版本3.1.3后,sessionRegistry保持为空。 Spring安全性有一些变化,我试图让它工作,但看起来有些东西丢失了......我正在使用spring-security-web-4.0.3.RELEASE.jar

我可以使用spring security进行身份验证,看起来一切正常。但我喜欢计算公开会议。我使用sessionRegistry.getAllPrincipals()来查找打开的会话,但现在它总是空的。

在resources.groovy:

import com.myApp.LicenceCheck
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy


beans = { 
        sessionRegistry(SessionRegistryImpl) 

        sessionAuthenticationStrategy(ConcurrentSessionControlAuthenticationStrategy){        
            it.constructorArgs = [sessionRegistry]
            maximumSessions    = -1            
        }

        concurrentSessionFilter(ConcurrentSessionFilter){        
            it.constructorArgs = [sessionRegistry,'/login/concurrentSession'];
        }

        licenceCheck(LicenceCheck)          
}

在bootstrap.groovy中:

SpringSecurityUtils.clientRegisterFilter('concurrentSessionFilter', SecurityFilterPosition.CONCURRENT_SESSION_FILTER)

application.groovy中的配置:

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.basic.realmName='myApp'
grails.plugin.springsecurity.successHandler.defaultTargetUrl='/search/'
grails.plugin.springsecurity.password.algorithm='MD5'
grails.plugin.springsecurity.password.hash.iterations = 1
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.myApp.Account'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.myApp.AccountAccountGroup'
grails.plugin.springsecurity.authority.className = 'com.myApp.AccountGroup'
grails.plugin.springsecurity.authority.nameField = 'role'
grails.plugin.springsecurity.useSecurityEventListener = true
grails.plugin.springsecurity.useSessionFixationPrevention = false
grails.plugin.springsecurity.rejectIfNoRule = false
grails.plugin.springsecurity.fii.rejectPublicInvocations = false
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth'
grails.plugin.springsecurity.apf.storeLastUsername=true

grails.plugin.springsecurity.filterChain.filterNames = [
   'securityContextPersistenceFilter', 'logoutFilter',
   'authenticationProcessingFilter', 'concurrentSessionFilter',
   'rememberMeAuthenticationFilter', 'anonymousAuthenticationFilter',
   'exceptionTranslationFilter', 'filterInvocationInterceptor'
]

成功验证后,我正在尝试计算开放会话:

import org.springframework.context.ApplicationListener
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
import grails.util.Holders

class LicenceCheck implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {

void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
         def sessionRegistry = Holders.grailsApplication.mainContext.getBean('sessionRegistry')
         sessionRegistry.getAllPrincipals() <= list is always empty
    }
}

这是在以前的版本(有很老的grails)。现在身份验证正在运行,但sessionRegistry保持为空。知道我错过了什么吗?

问候,grailsfan

1 个答案:

答案 0 :(得分:0)

我找到了解决这个问题的方法。

问题是新的ConcurrentSessionControlAuthenticationStrategy(ConcurrentSessionControlStrategy的新增功能)没有在sessionRegistry中注册会话。您必须将不同的策略与CompositeSessionAuthenticationStrategy结合使用。

这对我有用: Grails Spring Security max concurrent session

相关问题
最新问题